TB 52+ leaks installed dictionary

Description

TB 52 introduced a new header Content-Language with no option to turn it off.

Official ​changelog says about that:Dictionary setting is restored when editing a draft. Content-Language header (RFC 3282) transmitted with message.

Mentioned ​RFC warns us (Paragraph 4, Security considerations) that incorrect implementation would lead to a privacy leak, which truly happens. For example, you could forge name, timezone and IP to pretend to be a citizen of Iceland, but Content-Language header would leak Content-Language: ru-English, meaning the author rather comes from Eastern Europe.

Thanks for reporting! Fixed in ​63fa6e5, at least in TorBirdy where we intercept and set the "Content-Language" header to "en-US" for all installations. I will also try to submit a patch for the upstream bug so that this is fixed in Thunderbird for all users.

@sukhbir, by God, please do submit a patch, since core Thunderbird devs still postpone, that’s why 38 ESR is still used on my end. But I see a misunderstanding here as well: idea is not to substitute used dictionary, but make a preference in about:config to not include Content-Language header at all, since this header is metadata itself revealing Thunderbird is the very app used to send and receive mails.

@sukhbir, by God, please do submit a patch, since core Thunderbird devs still postpone, that’s why 38 ESR is still used on my end, which inserts no such header. Precisely, idea is not to substitute used dictionary, but to make a preference in about:config that turns off Content-Language header AT ALL, since presence of this header reveals Thunderbird is the very app used to send and receive mails.